RaccoonO365 PhaaS used to steal Microsoft credentials disrupted in joint effort

Microsoft has disrupted a major phishing-as-a-service (PhaaS) operation known as RaccoonO365, used by cybercriminals worldwide to steal thousands of Microsoft credentials. The takedown followed a court order allowing Microsoft to seize 338 websites linked to the malicious campaign.

RaccoonO365, a subscription-based phishing kit priced at $365 per month, enabled attackers to mimic Microsoft branding in emails, attachments, and websites to deceive victims. The service targeted up to 9,000 email addresses daily and was designed to bypass multi-factor authentication protections.

In a joint effort with Cloudflare, Microsoft revealed that the tool had been used to steal at least 5,000 Microsoft credentials across 94 countries. Attackers lured victims through emails containing QR codes or links leading to fake Microsoft login pages after a CAPTCHA verification step.

Microsoft identified Joshua Ogundipe, a Nigerian national, as the primary developer and operator of RaccoonO365. Ogundipe allegedly marketed and sold the phishing tool via a Telegram group, receiving at least $100,000 in cryptocurrency from subscribers. The group behind the kit is still active on Telegram, according to Microsoft.

Cloudflare, which assisted in the takedown, said the group abused Cloudflare's own infrastructure to evade detection and launched phishing attacks impersonating brands such as Adobe, DocuSign, and Maersk, among others. Many of the malicious files posed as HR documents or invoices and carried the victim's name in the filename.
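The lure pattern the two preceding paragraphs describe (a QR code or link leading to a CAPTCHA-gated fake Microsoft sign-in page, and HR/invoice attachments personalised with the recipient's name) is something a mail gateway can triage with simple heuristics. The following is an added example, not code from Microsoft, Cloudflare, or the RaccoonO365 kit; the keyword list, the allowlist of expected Microsoft sign-in hosts, the scoring weights, and the sample messages are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Lure vocabulary matching the page's description (HR documents, invoices) and
# the brands it names. Assumed starting list, not RaccoonO365's own word list.
LURE_KEYWORDS = ("invoice", "payslip", "payroll", "hr", "benefit", "remittance",
                 "statement", "docusign", "adobe", "maersk", "shared")

# Hosts where a real Microsoft sign-in is expected to land. Assumed allowlist;
# a real tenant should build this from its own federation/IdP configuration.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                        "login.microsoft.com"}

# Substrings that make a URL look like a sign-in or CAPTCHA gate.
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "o365", "office365",
               "microsoft", "captcha", "verify")

QUARANTINE_THRESHOLD = 3  # illustrative cut-off


@dataclass
class Message:
    """Minimal view of a parsed mail. has_qr_image is assumed to come from an
    upstream image/QR scanner; this example does not decode images."""
    recipient_name: str
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    has_qr_image: bool = False


def _tokens(text):
    """Split a name or file name into lowercase word tokens."""
    return [t for t in re.split(r"[\s_.,'\-()\[\]]+", text.lower()) if t]


def filename_embeds_recipient(filename, display_name):
    """True when a token of the recipient's display name appears in the file name."""
    name = {t for t in _tokens(display_name) if len(t) >= 3}
    return any(t in name for t in _tokens(filename))


def filename_has_lure_keyword(filename):
    return any(t.startswith(k) for t in _tokens(filename) for k in LURE_KEYWORDS)


def url_looks_like_offsite_login(url):
    """Sign-in/CAPTCHA-looking URL whose host is not an expected login host."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in EXPECTED_LOGIN_HOSTS:
        return False
    blob = f"{host}{p.path}?{p.query}".lower()
    return any(h in blob for h in LOGIN_HINTS)


def triage(msg):
    """Score a message; returns (score, reasons). Weights are illustrative."""
    score, reasons = 0, []
    for a in msg.attachments:
        lure = filename_has_lure_keyword(a)
        if lure and filename_embeds_recipient(a, msg.recipient_name):
            score += 2
            reasons.append(f"attachment {a!r}: HR/invoice lure personalised with recipient name")
        elif lure:
            score += 1
            reasons.append(f"attachment {a!r}: HR/invoice lure keyword")
    for u in msg.urls:
        if url_looks_like_offsite_login(u):
            score += 2
            reasons.append(f"link {u}: sign-in/CAPTCHA-looking page off an expected login host")
    if msg.has_qr_image and not msg.urls:
        score += 2
        reasons.append("QR code image with no clickable link (QR-only lure)")
    return score, reasons


def should_quarantine(msg):
    return triage(msg)[0] >= QUARANTINE_THRESHOLD


# Constructed sample messages (not real campaign data).
SAMPLES = {
    "lure": Message("Jane Doe",
                    attachments=["Invoice_Jane_Doe_Q3.pdf"],
                    urls=["https://docs-review.example/captcha?next=o365-login"]),
    "qr_only": Message("Sam Lee", has_qr_image=True),
    "benign": Message("Jane Doe",
                      attachments=["team_photo.jpg"],
                      urls=["https://login.microsoftonline.com/common/oauth2/authorize"]),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        s, why = triage(m)
        print(f"{label}: score={s} quarantine={should_quarantine(m)}")
        for r in why:
            print("  -", r)
```

The QR-only case scores below the quarantine threshold on purpose: a QR image with no link is common in legitimate mail, so on its own it should raise a flag for review rather than block delivery, while a personalised invoice attachment combined with an off-host sign-in link is enough to quarantine.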

Cloudflare also suggested a collaboration between the group behind RaccoonO365 and Russian-speaking cybercriminals based on the use of Russian in a Telegram bot's name, though Microsoft didn’t confirm the possible link.